feat(gateway): isolate certificate generation from certbot by abstracting it

Author: henrybarreto

gateway/certbot.go

@@ -91,125 +91,177 @@ type DNSProvider string
 // DigitalOceanDNSProvider represents the Digital Ocean DNS provider.
 const DigitalOceanDNSProvider = "digitalocean"
 
-type Tunnels struct {
-	// Domain is the default domain used to generate certificate for Tunnels.
-	Domain string
-	// Provider is the DNS provider used to generate wildcard certificates.
-	Provider DNSProvider
-	// Token is a DNS token used to generate wildcard certificates.
-	Token string
-}
-
 type Config struct {
 	// RootDir is the root directory for CertBot configurations.
 	RootDir string
-	// Domain is the default domain used to generate certificate for ShellHub.
-	Domain string
 	// Staging defines if the CertBot will use the staging server to generate certificates.
 	Staging bool
 	// RenewedCallback is a callback called after certificate renew.
 	RenewedCallback func()
+}
 
-	Tunnels *Tunnels
+type Certificate interface {
+	String() string
+	Generate(staging bool) error
 }
 
-// CertBot handles the generation and renewal of SSL certificates.
-type CertBot struct {
-	Config *Config
+type DefaultCertificate struct {
+	RootDir string
+	Domain  string
 
 	ex Executor
-	tk Ticker
 	fs afero.Fs
 }
 
-func newCertBot(config *Config) *CertBot {
-	return &CertBot{
-		Config: config,
+func NewDefaultCertificate(domain string) Certificate {
+	return &DefaultCertificate{
+		Domain: domain,
 
-		ex: new(executor),
-		tk: new(ticker),
+		ex: NewExecutor(),
 		fs: afero.NewOsFs(),
 	}
 }
 
-// ensureCertificates checks if the SSL certificate exists and generates it if not.
-func (cb *CertBot) ensureCertificates() {
-	certPath := fmt.Sprintf("%s/live/%s/fullchain.pem", cb.Config.RootDir, cb.Config.Domain)
-	if _, err := cb.fs.Stat(certPath); os.IsNotExist(err) {
-		cb.generateCertificate()
+func (d *DefaultCertificate) startACMEServer() *http.Server {
+	mux := http.NewServeMux()
+	mux.Handle(
+		"/.well-known/acme-challenge/",
+		http.StripPrefix(
+			"/.well-known/acme-challenge/",
+			http.FileServer(
+				http.Dir(filepath.Join(d.RootDir, ".well-known/acme-challenge")),
+			),
+		),
+	)
+
+	server := &http.Server{
+		Handler: mux,
 	}
 
-	if cb.Config.Tunnels != nil {
-		// NOTE: We are recreating the INI file every time to ensure it has the latest token from the environment.
-		cb.generateProviderCredentialsFile()
+	listener, err := net.Listen("tcp", ":80")
+	if err != nil {
+		log.WithError(err).Fatal("failed to start ACME server listener")
+	}
 
-		certPath := fmt.Sprintf("%s/live/*.%s/fullchain.pem", cb.Config.RootDir, cb.Config.Tunnels.Domain)
-		if _, err := cb.fs.Stat(certPath); os.IsNotExist(err) {
-			if err := cb.generateCertificateFromDNS(); err != nil {
-				log.WithError(err).Fatal("failed to generate the certificate from DNS")
-			}
+	go func() {
+		if err := server.Serve(listener); err != nil && !errors.Is(err, http.ErrServerClosed) {
+			log.WithError(err).Fatal("acme server error")
 		}
+	}()
+
+	return server
+}
+
+// stopACMEServer stops the local ACME server.
+func (d *DefaultCertificate) stopACMEServer(server *http.Server) {
+	if err := server.Close(); err != nil {
+		log.WithError(err).Fatal("could not stop ACME server")
 	}
 }
 
-// generateCertificate generates a new SSL certificate using Certbot.
-func (cb *CertBot) generateCertificate() {
+func (d *DefaultCertificate) Generate(staging bool) error {
 	log.Info("generating SSL certificate")
 
-	challengeDir := fmt.Sprintf("%s/.well-known/acme-challenge", cb.Config.RootDir)
-	if err := cb.fs.MkdirAll(challengeDir, 0o755); err != nil {
-		log.WithError(err).Fatal("failed to create acme challenge on filesystem")
+	challengeDir := fmt.Sprintf("%s/.well-known/acme-challenge", os.TempDir())
+	if err := d.fs.MkdirAll(challengeDir, 0o755); err != nil {
+		log.WithError(err).Error("failed to create acme challenge on filesystem")
+
+		return err
 	}
 
-	acmeServer := cb.startACMEServer()
+	acmeServer := d.startACMEServer()
 
-	cmd := cb.ex.Command(
-		"certbot",
+	args := []string{
 		"certonly",
 		"--non-interactive",
 		"--agree-tos",
 		"--register-unsafely-without-email",
 		"--webroot",
-		"--webroot-path", cb.Config.RootDir,
+		"--webroot-path", d.RootDir,
 		"--preferred-challenges", "http",
 		"-n",
 		"-d",
-		cb.Config.Domain,
-	)
-	if cb.Config.Staging {
+		d.Domain,
+	}
+
+	if staging {
 		log.Info("running generate with staging")
 
-		cmd.Args = append(cmd.Args, "--staging")
+		args = append(args, "--staging")
 	}
+
+	// Build the CertBot command
+	cmd := d.ex.Command(
+		"certbot",
+		args...,
+	)
+
 	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
 
-	if err := cmd.Run(); err != nil {
-		log.Fatal("Failed to generate SSL certificate")
+	if err := d.ex.Run(cmd); err != nil {
+		log.Error("Failed to generate SSL certificate")
+
+		return err
 	}
 
-	cb.stopACMEServer(acmeServer)
+	d.stopACMEServer(acmeServer)
 
 	log.Info("generate run")
+
+	return nil
+}
+
+func (d *DefaultCertificate) String() string {
+	return d.Domain
+}
+
+type TunnelsCertificate struct {
+	// Domain is the default domain used to generate certificate for Tunnels.
+	Domain string
+	// Provider is the DNS provider used to generate wildcard certificates.
+	Provider DNSProvider
+	// Token is a DNS token used to generate wildcard certificates.
+	Token string
+
+	ex Executor
+	fs afero.Fs
+}
+
+func NewTunnelsCertificate(domain string, provider DNSProvider, token string) Certificate {
+	return &TunnelsCertificate{
+		Domain: domain,
+
+		Provider: provider,
+		Token:    token,
+
+		ex: NewExecutor(),
+		fs: afero.NewOsFs(),
+	}
 }
 
-func (cb *CertBot) generateProviderCredentialsFile() (afero.File, error) {
-	token := fmt.Sprintf("dns_%s_token = %s", cb.Config.Tunnels.Provider, cb.Config.Tunnels.Token)
-	file, err := cb.fs.Create(fmt.Sprintf("/etc/shellhub-gateway/%s.ini", string(cb.Config.Tunnels.Provider)))
+func (d *TunnelsCertificate) generateProviderCredentialsFile() (afero.File, error) {
+	token := fmt.Sprintf("dns_%s_token = %s", d.Provider, d.Token)
+
+	file, err := d.fs.Create(fmt.Sprintf("/etc/shellhub-gateway/%s.ini", string(d.Provider)))
 	if err != nil {
 		log.WithError(err).Error("failed to create shellhub-gateway file with dns provider token")
 
 		return nil, err
 	}
 
-	file.Write([]byte(token))
+	if _, err := file.Write([]byte(token)); err != nil {
+		log.WithError(err).Error("failed to write the token into credentials file")
+
+		return nil, err
+	}
 
 	return file, nil
 }
 
-func (cb *CertBot) generateCertificateFromDNS() error {
+func (d *TunnelsCertificate) Generate(staging bool) error {
 	log.Info("generating SSL certificate with DNS")
 
-	file, err := cb.generateProviderCredentialsFile()
+	file, err := d.generateProviderCredentialsFile()
 	if err != nil {
 		log.WithError(err).Error("failed to generate INI file")
 
@@ -222,28 +274,28 @@ func (cb *CertBot) generateCertificateFromDNS() error {
 		"--agree-tos",
 		"--register-unsafely-without-email",
 		"--cert-name",
-		fmt.Sprintf("*.%s", cb.Config.Tunnels.Domain),
-		fmt.Sprintf("--dns-%s", cb.Config.Tunnels.Provider),
-		fmt.Sprintf("--dns-%s-credentials", cb.Config.Tunnels.Provider),
+		fmt.Sprintf("*.%s", d.Domain),
+		fmt.Sprintf("--dns-%s", d.Provider),
+		fmt.Sprintf("--dns-%s-credentials", d.Provider),
 		file.Name(),
 		"-d",
-		fmt.Sprintf("*.%s", cb.Config.Tunnels.Domain),
+		fmt.Sprintf("*.%s", d.Domain),
 	}
 
-	if cb.Config.Staging {
+	if staging {
 		log.Info("running generate with staging on dns")
 
 		args = append(args, "--staging")
 	}
 
-	cmd := cb.ex.Command( //nolint:gosec
+	cmd := d.ex.Command( //nolint:gosec
 		"certbot",
 		args...,
 	)
 
 	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
 
-	if err := cb.ex.Run(cmd); err != nil {
+	if err := d.ex.Run(cmd); err != nil {
 		log.WithError(err).Error("failed to generate SSL certificate")
 
 		return err
@@ -254,41 +306,38 @@ func (cb *CertBot) generateCertificateFromDNS() error {
 	return nil
 }
 
-// startACMEServer starts a local HTTP server for the ACME challenge.
-func (cb *CertBot) startACMEServer() *http.Server {
-	mux := http.NewServeMux()
-	mux.Handle(
-		"/.well-known/acme-challenge/",
-		http.StripPrefix(
-			"/.well-known/acme-challenge/",
-			http.FileServer(
-				http.Dir(filepath.Join(cb.Config.RootDir, ".well-known/acme-challenge")),
-			),
-		),
-	)
+func (d *TunnelsCertificate) String() string {
+	return d.Domain
+}
 
-	server := &http.Server{
-		Handler: mux,
-	}
+// CertBot handles the generation and renewal of SSL certificates.
+type CertBot struct {
+	Config *Config
 
-	listener, err := net.Listen("tcp", ":80")
-	if err != nil {
-		log.WithError(err).Fatal("failed to start ACME server listener")
-	}
+	Certificates []Certificate
 
-	go func() {
-		if err := server.Serve(listener); err != nil && !errors.Is(err, http.ErrServerClosed) {
-			log.WithError(err).Fatal("acme server error")
-		}
-	}()
+	ex Executor
+	tk Ticker
+	fs afero.Fs
+}
 
-	return server
+func newCertBot(config *Config) *CertBot {
+	return &CertBot{
+		Config: config,
+
+		ex: new(executor),
+		tk: new(ticker),
+		fs: afero.NewOsFs(),
+	}
 }
 
-// stopACMEServer stops the local ACME server.
-func (cb *CertBot) stopACMEServer(server *http.Server) {
-	if err := server.Close(); err != nil {
-		log.WithError(err).Fatal("could not stop ACME server")
+// ensureCertificates checks if the SSL certificate exists and generates if it doesn't.
+func (cb *CertBot) ensureCertificates() {
+	for _, certificate := range cb.Certificates {
+		certPath := fmt.Sprintf("%s/live/%s/fullchain.pem", cb.Config.RootDir, certificate)
+		if _, err := cb.fs.Stat(certPath); os.IsNotExist(err) {
+			certificate.Generate(cb.Config.Staging)
+		}
 	}
 }